- Added whitelist site setting for allowed file extensions to upload via media module.

- Hardcoded blacklist: web.config - Superuser immune to whitelist restriction - Zip files still allowed even if not in the list since these are expanded by the media module to allow for multi upload. - Files within a zip must still pass white/black-list test per normal rules (file is skipped if not). --HG-- branch : dev
2025-09-23 12:53:33 +08:00 · 2010-11-04 12:01:07 -07:00
parent e414469e0f
commit 79bec8cee6
10 changed files with 144 additions and 10 deletions
--- a/src/Orchard.Web/Modules/Orchard.Media/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Media/Controllers/AdminController.cs
@@ -3,10 +3,13 @@ using System.Collections.Generic;
 using System.IO;
 using System.Web;
 using System.Web.Mvc;
+using JetBrains.Annotations;
+using Orchard.ContentManagement;
 using Orchard.Localization;
 using Orchard.Media.Models;
 using Orchard.Media.Services;
 using Orchard.Media.ViewModels;
+using Orchard.Settings;
 using Orchard.UI.Notify;
 using Orchard.Utility.Extensions;

@@ -153,6 +156,15 @@ namespace Orchard.Media.Controllers {
                if (!ModelState.IsValid)
                    return View(viewModel);

+                // first validate them all
+                foreach (string fileName in Request.Files) {
+                    HttpPostedFileBase file = Request.Files[fileName];
+                    if (!_mediaService.FileAllowed(file)) {
+                        ModelState.AddModelError("File", T("That file type is not allowed.").ToString());
+                        return View(viewModel);
+                    }
+                }
+                // then save them
                foreach (string fileName in Request.Files) {
                    HttpPostedFileBase file = Request.Files[fileName];
                    _mediaService.UploadMediaFile(viewModel.MediaPath, file);